[WIP] x509_certificate(_pipe): add regenerate option #310

Closed


felixfontein
Contributor

SUMMARY

Adds a regenerate option to x509_certificate(_pipe) similar to the one of openssl_privatekey. This gives the user more fine-grained control over when certificates should be regenerated.

This is a breaking change since it adjusts the behavior to the one of openssl_privatekey: if the certificate was broken, it will no longer be always regenerated, but only if regenerate is set to always or full_idempotence (or if force=true, which implies regenerate=always).

Fixes #295.

ISSUE TYPE

  • Feature Pull Request

COMPONENT NAME

x509_certificate
x509_certificate_info

@felixfontein
Contributor Author

I'm wondering whether the regenerate option should have more/different values for certificates, or whether there should be multiple regenerate options (for different aspects).

(partial_idempotence and full_idempotence could maybe be renamed to idempotence_without_times and idempotence_with_times.)

What do you all think about this?

@felixfontein
Contributor Author

(The failing tests are no surprise due to the breaking change. I haven't adjusted the tests yet, that's also why this PR is a WIP.)

@Ajpantuso
Collaborator

> I'm wondering whether the regenerate option should have more/different values for certificates, or whether there should be multiple regenerate options (for different aspects).
>
> (partial_idempotence and full_idempotence could maybe be renamed to idempotence_without_times and idempotence_with_times.)
>
> What do you all think about this?

What you're suggesting sounds to me like a dict that describes an idempotency configuration where each suboption is an aspect of the comparison. never, fail, and always would still make sense in that case, but partial and full would lose meaning and become one choice that refers to the config. I think that would allow for better consistency across modules and avoid repetition in the descriptions (as would be the case if each idempotency config was its own option). Pretty sure this level of effort exceeds what you were asking though.

@felixfontein
Contributor Author

I'm currently tending to not continue with this, but instead take #317.

@felixfontein
Contributor Author

Closing in favor of #317.

@felixfontein felixfontein deleted the fix-recreation branch October 30, 2021 14:34
Successfully merging this pull request may close these issues.

x509_certificate does not recreate certificate if ownca_not_after was changed